Holy cow, I wrote a book!
For example, there were a few programs that responded to
the LVN_GETDISPINFO notification
by overflowing the LVITEM.pszText buffer, writing more
than LVITEM.cchTextMax characters.
Another responded to
by overflowing the pszName buffer, writing more than cchMax characters.
Fortunately, in both cases, the overflow was only one character,
so we were able to fix it by over-allocating the buffer by one and
underreporting its size. That way, if the program overflows the
buffer by one, it doesn't corrupt anything.
Another one overflows one of its own stack buffers if you right-click
on a file whose name is longer than MAX_PATH.
(These files are legal but are hard to create or manipulate.)
Not much we can do to prevent that one.